This article explores the critical importance of detecting lateral movement within internal networks after initial intrusion, focusing on internal devices like routers, printers, and IoT devices. It emphasizes monitoring for suspicious connections to high-risk countries and internal endpoints to prevent escalation and exfiltration activities. #CyberThreatHunting #InternalNetworkSecurity
Tag: EDR
Microsoft 365 is expanding its Copilot features to more companion apps, including the upcoming addition of Calendar. However, these features are exclusively available for enterprise or business users, enhancing productivity with AI-powered suggestions across various apps. #Microsoft365 #Copilot #EnterpriseApps
Cybercriminals and nation-state actors are increasingly targeting high-impact areas such as government, energy, and financial sectors using sophisticated methods like phishing, malware, and supply chain attacks. Ongoing developments include new malware like the Atroposia RAT and critical vulnerabilities like a BIND9 flaw, highlighting the importance of proactive cybersecurity measures. #HijackLoader #PureHVNC #OperationZero #CVE2025-40778…
This article emphasizes the importance of continuous proof-based testing in cybersecurity over traditional predictions or compliance checks. It highlights how Breach and Attack Simulation (BAS) has evolved into a daily security practice, providing real-time validation of defenses and enabling faster, evidence-backed responses to threats. #PicusBAS #ThreatSimulation…
ReversingLabs researchers discovered a self-replicating npm worm named Shai-hulud that compromises developer accounts to inject a malicious bundle.js into maintained packages, adding postinstall scripts that execute token-stealing and repo-exfiltration routines. The worm steals npm, GitHub, AWS and GCP tokens (using TruffleHog to find secrets), exfiltrates data to attacker-controlled GitHub repositories/branches, and attempts to make private repos public—impacting hundreds of packages including ngx-bootstrap, ng2-file-upload, and @ctrl/tinycolor. #Shai-hulud #ngx-bootstrap #TruffleHog
Kaspersky’s GReAT team revealed new tactics used by BlueNoroff, a subdivision of North Korea’s Lazarus Group, including campaigns GhostCall and GhostHire that leverage AI for advanced malware deployment. These operations target organizations involved in cryptocurrency, blockchain, and tech sectors across multiple continents, highlighting the increasing sophistication of cyber threats. #BlueNoroff #GhostCall…
Hudson Rock has uncovered Logins(.)zip, a new and highly effective infostealer that exploits Chromium vulnerabilities to rapidly extract up to 99% of saved credentials and cookies. This sophisticated tool outperforms legacy stealers with its evasion, reliability, and broad target support. #Logins.zip #ChromiumVulnerabilities
Salt Typhoon (aka Earth Estries / GhostEmperor / UNC2286) is a state-linked APT active since at least 2019 that has targeted telecoms, energy, and government systems worldwide using zero-day exploits, DLL sideloading, custom backdoors (SNAPPYBEE/Deed RAT), and obfuscated C2 channels. Darktrace observed a July 2025 intrusion against a European telco exploiting CVE-2025-5777 on Citrix NetScaler, delivering SNAPPYBEE via DLL side-loading and communicating with C2 domains such as aar.gandhibludtric[.]com. #SaltTyphoon #SNAPPYBEE
Socket Threat Research Team discovered 10 malicious typosquatted npm packages that use a multi-stage, cross-platform credential stealer distributed via npm postinstall hooks and a 24MB PyInstaller binary. The campaign uses four layers of JavaScript obfuscation, a fake CAPTCHA social-engineering step, IP fingerprinting, and exfiltration to C2 server 195[.]133[.]79[.]43. #data_extracter #195.133.79.43
Privileged access is the primary pathway attackers use to achieve high-impact compromises, and protecting both human and non-human privileged identities across on-premises and cloud environments is essential. Mandiant recommends a defense-in-depth PAM strategy—tiering, least privilege, PAWs, MFA, secrets management, detection (high-fidelity session telemetry and anomaly analytics), and practiced response including coordinated credential rotation—to reduce dwell time and blast radius. #Mandiant #GoogleSecOps
The ACCC is suing Microsoft for allegedly misleading Australian users into paying for the Copilot AI assistant in Microsoft 365 by hiding the option to retain their existing plans. This legal action follows accusations of deceptive practices related to pricing and renewal notifications. #MicrosoftCopilot #AustralianConsumerLaw
The Qilin ransomware operation is notable for using Windows Subsystem for Linux (WSL) to run Linux encryptors on Windows systems, helping it evade detection. These evolving tactics have led to over 700 attacks across 62 countries, exploiting legitimate remote tools and Windows utilities to breach networks and execute payloads. #Qilin #WinSCP
AI-powered web builders enable criminals to create convincing phishing and scam sites (VibeScams) from simple prompts or screenshots, dramatically lowering the technical barrier and accelerating brand impersonation across many platforms. Researchers blocked roughly 140,000 AI-generated malicious sites (about 580 per day) between early 2025 and August 2025, affecting users worldwide including the U.S., France, Brazil, Germany, and Japan. #VibeScams #Coinbase
CyberProof observed a surge in a Remcos infostealer campaign in Sep–Oct 2025 that used malicious email attachments, obfuscated PowerShell, and process hollowing of msiexec into RMClient.exe to deploy Remcos and harvest browser-stored credentials. The operation used compromised or malicious domains (e.g., icebergtbilisi.ge) to host payloads and employed continuous download-and-execute loops to ensure delivery. #Remcos #icebergtbilisi.ge
Trend Research uncovered an evolved Water Saci campaign that uses WhatsApp Web to deliver malicious ZIPs containing an obfuscated VBS downloader which launches a fileless PowerShell payload that hijacks browser sessions, harvests contacts, and self-propagates. The campaign pairs a dual-channel C2 infrastructure (email/IMAP to retrieve C2 URLs and aggressive HTTP polling)…